It’s the question that plagues every CISO: “Have I done enough?”
First, you’ve convinced your partners in the boardroom that vulnerabilities are a serious matter and increased your security budget. Then, you’ve built a collaborative relationship between the IT and security teams, coordinating code scans and rolling out patches. But every now and then it’s important to zoom out and make sure you’re not missing the security forest for the vulnerability trees.
Everyone involved in vulnerability remediation needs to make sure they’re not making one of the following three common and costly mistakes: focusing too much on scans and discovery, working without an updated asset inventory, and not automating enough.
Misapplied Focus: Looking For Bugs In All the Wrong Places
The standard approach to remediating vulnerabilities begins with scanning the environment for recently disclosed problems and working through them in order of severity. At first glance, this makes sense. There is a well-known catalog of publicly disclosed vulnerabilities, the CVE list, and each entry carries a CVSS score that assigns it a numerical value and a severity rating. Furthermore, there are tools that can easily scan your applications, infrastructure and code to find those vulnerabilities in your organization. But relying on CVSS scores as the basis for keeping your company secure causes problems of its own:
First, a CVSS base score measures the intrinsic characteristics of a vulnerability in the abstract, not its danger to a real company. It says nothing about whether a working exploit exists, whether the affected asset is reachable from the internet, or what that asset is worth to your business. Cybercriminals are just as likely to exploit a “Medium” vulnerability as a “Critical” one if the Medium is easier to reach. Malicious actors may even specifically target “low-ranked” problems, assuming they’ll be ignored by teams that follow the traditional approach.
Concerns like these led researchers at Carnegie Mellon’s Software Engineering Institute to publish a paper in December 2018 (“Towards Improving CVSS”) arguing that the CVSS should be radically revised or replaced as a prioritization tool. The answer to this problem is as simple as it is radical: prioritize vulnerabilities based on the threat they actually pose to your systems. Instead of ranking remediation work by CVSS severity alone, combine the score with what you know about exploit availability, exposure and asset criticality, and fix the vulnerabilities that pose the greatest risk to your company first.
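The following is an added example, not code from the original article, showing what “prioritize by risk rather than by CVSS alone” looks like in practice. The findings, their scores and the weighting factors are all constructed for illustration (the weights are an assumption, not taken from any standard); a real implementation would pull exploit status from a threat-intelligence feed and exposure and criticality from the asset inventory.

```python
"""Risk-based ordering of scanner findings (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str                 # placeholder identifier, not a real CVE
    cvss: float             # CVSS base score as reported by the scanner
    exploit_public: bool    # a working exploit is known to exist
    internet_facing: bool   # affected asset is reachable from outside
    asset_criticality: int  # 1 (lab box) .. 5 (revenue-critical), from the inventory


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def risk_score(f: Finding) -> float:
    """Combine severity with likelihood and business impact.

    The multipliers below are illustrative assumptions: a public exploit
    triples the likelihood, internet exposure doubles it, and impact scales
    with the asset's criticality relative to the most critical tier (5).
    """
    likelihood = 1.0
    if f.exploit_public:
        likelihood *= 3.0
    if f.internet_facing:
        likelihood *= 2.0
    impact = f.asset_criticality / 5.0
    return round(f.cvss * likelihood * impact, 2)


def by_cvss(findings):
    """The traditional ordering: highest base score first."""
    return [f.id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def by_risk(findings):
    """The risk-based ordering: highest contextual risk first."""
    return [f.id for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample findings; the ids are placeholders, not real CVEs.
SAMPLE = [
    Finding("vuln-A", 9.8, exploit_public=False, internet_facing=False, asset_criticality=1),
    Finding("vuln-B", 5.3, exploit_public=True, internet_facing=True, asset_criticality=5),
    Finding("vuln-C", 7.5, exploit_public=True, internet_facing=False, asset_criticality=4),
    Finding("vuln-D", 9.1, exploit_public=False, internet_facing=True, asset_criticality=3),
]

if __name__ == "__main__":
    print("CVSS order :", by_cvss(SAMPLE))   # vuln-A, vuln-D, vuln-C, vuln-B
    print("Risk order :", by_risk(SAMPLE))   # vuln-B, vuln-C, vuln-D, vuln-A
    for f in by_risk(SAMPLE):
        finding = next(x for x in SAMPLE if x.id == f)
        print(f"{f}: {cvss_severity(finding.cvss):8s} cvss={finding.cvss} risk={risk_score(finding)}")
```

The point of the sample data is the reversal: vuln-B, a “Medium” on an internet-facing, business-critical host with a public exploit, comes out on top, while vuln-A, a “Critical” on an isolated lab machine with no known exploit, drops to the bottom. The exact weights matter less than the fact that they are derived from your environment and revisited as exploit status and exposure change.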
But there’s an even bigger issue than not prioritizing your vulnerabilities, and that is not actually remediating them and removing the risk from your network. It’s crucial to understand that there’s a difference between identifying a threat and fixing it. The threat isn’t removed just because you’ve added it to your to-do list. A proper vulnerability management plan starts with identifying risk, but it’s the job of the vulnerability manager to implement the right patch or workaround, and then to confirm with a follow-up scan that the finding is actually gone, so that it no longer poses a threat. Orchestrating patch management correctly, by coordinating with the relevant teams and business leaders, makes remediation a lot smoother.
Working Blindly: Using an Outdated Asset Inventory
The problems of misapplied scans are compounded by an outdated asset inventory. Given the complexity of today’s networks, with their distributed architecture and reliance on a wide variety of components, many IT and security teams do not have a full and current inventory of their assets. SaaS vendors face an even harder version of the problem: they have more integration points, and a wider variety of customer and partner software that they must interface with.
Having a complete, updated list of assets and understanding how they interconnect is important for any company, but it is essential for vulnerability management teams, especially for those using the recommended risk-based approach. Without seeing how elements of your network interact, it will be impossible to create and execute an organized plan for identifying and remediating vulnerabilities. In fact, without an updated inventory and the means to continuously ensure that it is in fact updated, you are likely to have serious gaps in your risk assessment program.
Enterprise networks especially are prone to change: assets join and disappear quickly as cloud instances, containers and devices come and go. This poses a big challenge to legacy vulnerability management approaches, which assume a mostly static estate, and demands a more dynamic inventory management tool that is reconciled continuously against what discovery actually observes.
Working without full visibility of your network would be like installing a home security system without knowing where all the doors and windows are.
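As an added example (not code from the original article), here is the kind of reconciliation a dynamic inventory needs: compare what the inventory claims exists against what discovery sources actually observed, flag hosts that were seen but are unknown to the inventory, and flag inventory entries that nothing has seen recently. The inventory records, sightings and timestamps are constructed; in practice the sightings would come from scanner output, cloud provider APIs, EDR check-ins or DHCP/ARP logs.

```python
"""Reconcile a recorded asset inventory against observed hosts (added example)."""
from datetime import datetime, timedelta

# Constructed inventory snapshot (what the CMDB believes).
INVENTORY = {
    "web-01": {"owner": "platform", "last_seen": datetime(2024, 3, 1, 0, 0)},
    "db-01": {"owner": "data", "last_seen": datetime(2024, 3, 9, 0, 0)},
    "legacy-ftp": {"owner": "unknown", "last_seen": datetime(2024, 2, 1, 0, 0)},
}

# Constructed discovery sightings (what the environment actually shows).
SIGHTINGS = [
    {"host": "web-01", "seen": datetime(2024, 3, 10, 9, 0), "source": "scanner"},
    {"host": "db-01", "seen": datetime(2024, 3, 10, 8, 0), "source": "edr"},
    {"host": "db-01", "seen": datetime(2024, 3, 10, 11, 0), "source": "scanner"},
    {"host": "vm-unknown-7", "seen": datetime(2024, 3, 10, 10, 0), "source": "cloud-api"},
]

NOW = datetime(2024, 3, 10, 12, 0)


def latest_sightings(sightings):
    """Collapse sightings to the most recent observation per host."""
    latest = {}
    for s in sightings:
        if s["host"] not in latest or s["seen"] > latest[s["host"]]["seen"]:
            latest[s["host"]] = s
    return latest


def reconcile(inventory, sightings, now, stale_after=timedelta(days=7)):
    """Return unknown hosts, stale inventory entries, and a refreshed inventory.

    - unknown: seen by discovery but absent from the inventory (shadow assets
      that no vulnerability scan is scoped to cover).
    - stale: in the inventory but not observed within `stale_after`
      (decommissioned, or silently unreachable to every discovery source).
    """
    seen = latest_sightings(sightings)
    unknown = sorted(h for h in seen if h not in inventory)

    refreshed = {}
    for host, record in inventory.items():
        record = dict(record)
        if host in seen:
            record["last_seen"] = max(record["last_seen"], seen[host]["seen"])
            record["last_source"] = seen[host]["source"]
        refreshed[host] = record

    stale = sorted(h for h, r in refreshed.items() if now - r["last_seen"] > stale_after)
    return {"unknown": unknown, "stale": stale, "inventory": refreshed}


if __name__ == "__main__":
    result = reconcile(INVENTORY, SIGHTINGS, NOW)
    print("Unknown (seen, not in inventory):", result["unknown"])   # ['vm-unknown-7']
    print("Stale (in inventory, not seen):  ", result["stale"])     # ['legacy-ftp']
    for host, rec in result["inventory"].items():
        print(f"{host:12s} last_seen={rec['last_seen']} source={rec.get('last_source', '-')}")
```

Both output lists are actionable: an unknown host needs an owner and a place in scan scope before it can be assessed at all, and a stale entry is either a machine to retire from the inventory or a machine that your discovery sources can no longer reach, which is itself a finding. Running this on a schedule, rather than once, is what turns a snapshot into an inventory you can trust.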
The Importance of Automation
Automation is extremely useful for remediating vulnerabilities, since it lets you work as quickly, accurately, and consistently as possible. In a large SaaS environment there are many instances of the same component; you want the same patch applied identically to every one of them, in batches small enough that the service stays up while each batch is updated. If a set of patches must be applied in a particular order or at a particular time, automation makes an important difference. It allows you to remediate at scale, protecting your enterprise against more threats while reducing the likelihood of human error. Repetitive manual work is hard enough to do consistently when there is no time pressure; when every second counts, automation is the better choice. The caveat is that automation amplifies mistakes as efficiently as it amplifies fixes, so the actions it runs should be idempotent (safe to repeat) and rolled out in stages rather than to every instance at once.
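The following added example (not the article’s or any vendor’s code) shows the three properties just described in a small rollout driver: patches with prerequisites are ordered automatically, each instance is updated in rolling batches, and applying a patch is idempotent so a re-run is a no-op. The patch names, prerequisites and instances are constructed; the `apply_patch` step stands in for whatever your configuration management or package tooling actually does.

```python
"""Dependency-ordered, idempotent, batched patch rollout (added example)."""
from graphlib import CycleError, TopologicalSorter

# Constructed patch set; 'requires' lists patches that must land first.
PATCHES = {
    "openssl-3.0.13": {"requires": []},
    "app-server-2.4": {"requires": ["openssl-3.0.13"]},
    "app-config-hotfix": {"requires": ["app-server-2.4"]},
}

# Constructed fleet; web-01 already received the OpenSSL update by hand.
INSTANCES = [
    {"name": "web-01", "applied": {"openssl-3.0.13"}},
    {"name": "web-02", "applied": set()},
    {"name": "web-03", "applied": set()},
]


def patch_order(patches):
    """Topologically sort patches so every prerequisite comes first.

    Raises graphlib.CycleError if the prerequisites contradict each other.
    """
    graph = {name: set(p["requires"]) for name, p in patches.items()}
    return list(TopologicalSorter(graph).static_order())


def has_cycle(patches) -> bool:
    """True if the patch set cannot be ordered (a prerequisite loop)."""
    try:
        patch_order(patches)
        return False
    except CycleError:
        return True


def apply_patch(instance, patch, log) -> bool:
    """Idempotent apply: returns True if work was done, False if already present."""
    if patch in instance["applied"]:
        log.append(f"{instance['name']}: skip {patch} (already applied)")
        return False
    # A real implementation would invoke the package/config tool here.
    instance["applied"].add(patch)
    log.append(f"{instance['name']}: applied {patch}")
    return True


def rollout(instances, patches, batch_size=2):
    """Apply every patch, in dependency order, to instances in rolling batches."""
    order = patch_order(patches)
    log, applied, skipped = [], 0, 0
    for patch in order:
        for start in range(0, len(instances), batch_size):
            batch = instances[start:start + batch_size]   # only this batch is touched at a time
            for inst in batch:
                if apply_patch(inst, patch, log):
                    applied += 1
                else:
                    skipped += 1
    return {"order": order, "applied": applied, "skipped": skipped, "log": log}


def missing(instances, patches):
    """Verification step: which instances still lack any patch from the set."""
    return sorted(i["name"] for i in instances if not set(patches) <= i["applied"])


if __name__ == "__main__":
    first = rollout(INSTANCES, PATCHES)
    print("order:", first["order"])                      # openssl, app-server, hotfix
    print("applied:", first["applied"], "skipped:", first["skipped"])  # 8 / 1
    print("still missing patches:", missing(INSTANCES, PATCHES))       # []
    second = rollout(INSTANCES, PATCHES)
    print("re-run applied:", second["applied"])          # 0: safe to repeat
```

The batch loop is where a rolling rollout differs from a blast: only `batch_size` instances are being changed at any moment, so a bad patch is caught by the first batch (add a health check after each batch in real tooling) instead of taking the whole fleet down. The verification function is the “did the fix actually land” check from the remediation section, expressed against the rollout’s own state.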
Making Sure You’re Doing Enough
Keeping your company safe is a full-time job. Focusing on the right threats, increasing your network’s visibility, and automating wherever possible are important first steps in improving your company’s vulnerability management process.
To find out more about increasing your network’s safety through continuous vulnerability monitoring and remediation, contact us to schedule a consultation.